Microsoft Graph Security

· Most used #312

Unified security intelligence across every Microsoft product

Productivity · Data analysis · Developer · Security · Automation

Microsoft Graph Security is the single API surface that connects alerts, incidents, threat intelligence, and Secure Score data from Microsoft Defender, Sentinel, Entra, Purview, and Intune into one coherent picture. Once connected, your agent monitors your tenant's security posture in real time — triaging alerts, updating incident records, running Advanced Hunting queries, and tracking Secure Score control progress without a human touching the portal. Every security event becomes an automated workflow trigger instead of a manual queue.

Average time saved
11 hours
per person · per month
roughly 1 working day back

Eliminates manual work: the cycle of logging into the Defender and Sentinel portals, cross-referencing alerts, updating incident records, and assembling posture reports — tasks that consume security team hours every week.

Scheduling

What your Microsoft Graph Security agent runs automatically

A week of scheduled tasks that the Actionist agent runs on your behalf.

28 scheduled tasks
7 active agents
24/7 always on
Multi-app workflows

Microsoft Graph Security × all your other apps

End-to-end automations that connect several apps, each delivering a real business outcome.

6 workflows
9 apps involved
about 32 hours saved per week
6 roles covered
For customer success
Featured · 4 apps

Alert to resolution in under 60 seconds

When a customer security report arrives by email, your agent reads the alert details from Microsoft Graph Security, immediately updates the alert status and assigns it to the right analyst — then posts a structured incident thread in Slack and books the response call on Google Calendar. The entire triage chain that used to take a CSM 45 minutes of portal-hopping is done before the customer finishes their coffee.

About 9 hours

The time your team gets back automatically every week

Workflow
Trigger · When a customer emails a suspected security breach or phishing report
Outcome
  • Update security alert — assign analyst and set status to InProgress
  • Post structured incident thread with alert detail and analyst assignment
  • Book response call between analyst and customer contact
Key win
Savings per run
45 minutes
Runs per week
~12×
Customer sees action in under a minute
Run by Customer Support Agent
ROI

Savings

What your team gets back: the manual tasks that are eliminated and the value that is created.

Without Actionist

What you do manually today

With Actionist

What your agent runs for you

  • Sales
    19 minutes per week
    Manual posture PDF prep

    AE pulls Secure Score screenshots and drafts a security summary PDF before every enterprise security review call.

    Sales agent
    0 minutes
    Auto-generate posture brief

    Agent fetches live Secure Score and open alerts, then generates a structured trust brief posted to Slack before the call.

  • Marketing
    14 minutes per week
    Manual trust centre update

    Marketing manager manually updates the public trust centre page with the latest Secure Score after each quarterly review.

    Marketing agent
    0 minutes
    Auto-refresh trust badge

    Agent reads live Secure Score and updates the trust centre page automatically whenever the score changes by more than 3 points.

  • Customer Support
    19 minutes per week
    Portal alert triage

    CSM checks the Defender portal after every security-related customer email to find and read the relevant alert.

    Customer Support agent
    0 minutes
    Instant alert briefing on email

    Agent detects the customer email, fetches the matching alert, and posts a structured triage card in Slack before the CSM has finished reading the email.

  • Human Resources
    8 minutes per week
    Manual access review log

    HR analyst manually logs which employee accounts had security alerts in the past 30 days for quarterly access reviews.

    Human Resources agent
    0 minutes
    Auto-compile access alert log

    Agent runs an Advanced Hunting query for employee accounts with recent alerts and writes the results to the access review spreadsheet automatically.

  • Finance
    14 minutes per week
    Quarterly posture export

    Finance analyst logs into the Defender portal and exports Secure Score history manually before every compliance report.

    Finance agent
    0 minutes
    Auto-generate compliance export

    Agent pulls the full 90-day Secure Score series and exports a formatted compliance table to the board report document automatically.

  • Operations
    30 minutes per week
    Manual incident status sync

    Ops engineer manually reads open incidents in Defender and copies status updates into the operations tracking sheet each morning.

    Operations agent
    0 minutes
    Auto-sync incident status

    Agent lists all active incidents each morning, updates their status in the ops sheet, and highlights any SLA breaches in the daily standup post.

  • Legal
    6 minutes per week
    Breach notification timeline

    Legal counsel manually checks incident creation timestamps and calculates regulatory notification deadlines for each new incident.

    Legal agent
    0 minutes
    Auto-calculate breach deadlines

    Agent reads new incident creation time, calculates the regulatory notification deadline, and adds a calendar reminder for legal counsel automatically.

+ hundreds more Microsoft Graph Security automations
Monthly average
11 hours / person / month
Calculator

Calculate what your team saves

Team size: 10 people
Hourly rate: $20 / hour
Hours saved / week: 28
Hours saved / year: 1,400
Annual return: $28,000

Based on the common pattern of team usage of Microsoft Graph Security (the tasks shown plus a few more automations the agent runs): about 2.8 hours / person / week of admin work is automated.

Connect

How to connect Microsoft Graph Security to Actionist

Choose the connection method that fits your working environment.

The Microsoft Graph Security MCP server gives your agent direct access to alerts, incidents, Secure Score, and Advanced Hunting through a single authorised connection — no API plumbing needed on your side.

1. Open the Apps tab

Find Microsoft Graph Security in the Apps library and click Connect. MCP is selected by default.

2. Authorise in Microsoft Graph Security

Sign in with your Microsoft 365 organisational account. Actionist requests the minimum required Graph Security API permissions (SecurityAlert.Read.All, SecurityIncident.ReadWrite.All, SecureScore.Read.All) — you'll see the exact scopes listed before you approve.

3. Test the connection

Actionist runs a read-only call to verify the handshake. You're ready.

Actions

15 actions your agent can run

Read and write operations available to your Actionist agent.

Triggers

7 events your agent can react to

Events your agent watches and runs actions in response to.

Skills

Skills that work well with Microsoft Graph Security

Reusable agent skills that are useful alongside this app.

LinkedIn

LinkedIn API integration with managed OAuth. Share posts, manage profile, run ads, and access LinkedIn features. Use this skill when users want to share cont...

Microsoft Excel

Microsoft Excel API integration with managed OAuth. Read and write Excel workbooks, worksheets, ranges, tables, and charts stored in OneDrive. Use this skill when users want to read or modify Excel spreadsheets, manage worksheet data, work with tables, or access cell values. For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway).

Microsoft To Do

Microsoft To Do API integration with managed OAuth. Manage task lists, tasks, checklist items, and linked resources. Use this skill when users want to create, read, update, or delete tasks and task lists in Microsoft To Do. For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway). Requires network access and valid Maton API key.

MCP servers

MCP servers compatible with Microsoft Graph Security

Connect Actionist to MCP servers built for this app or around it.

Microsoft Learn MCP
Official

Official Microsoft Learn MCP Server – real-time, trusted docs & code samples for AI and LLMs.

FAQ

Questions about Microsoft Graph Security + Actionist

How do I connect Microsoft Graph Security to Actionist?
Open the Apps tab, find Microsoft Graph Security, and click Connect. Select MCP (recommended) to authenticate with your Microsoft 365 organisational account. Actionist requests exactly the Graph Security API permissions it needs — SecurityAlert.Read.All, SecurityIncident.ReadWrite.All, SecureScore.Read.All — and you approve the scopes in the Microsoft consent screen. The connection is live in under two minutes.
What Microsoft 365 permissions does Actionist need?
For read-only security monitoring your agent needs SecurityAlert.Read.All, SecurityIncident.Read.All, and SecureScore.Read.All. Add SecurityAlert.ReadWrite.All and SecurityIncident.ReadWrite.All to let the agent update alert status, assign analysts, and close incidents. Advanced Hunting requires ThreatHunting.Read.All. Actionist requests only the scopes you approve — you can grant read-only first and expand later.
Which Microsoft security products does this connection cover?
Microsoft Graph Security is a unified API layer, so your agent gains visibility across Microsoft Defender for Endpoint, Defender for Office 365, Microsoft Sentinel, Microsoft Entra (Azure AD) Identity Protection, Microsoft Purview, and Microsoft Intune — all through the same connection. You don't need separate credentials for each product; the Graph Security API aggregates alerts and incidents from every connected Microsoft security service in your tenant.
Can my agent update alert and incident records, or only read them?
Yes — with write permissions granted, your agent can update alert status (Active, InProgress, Resolved), assign alerts and incidents to specific analysts, set classification and determination (TruePositive, FalsePositive, BenignPositive), add custom tags, and modify incident severity. Update permissions are separate from read permissions, so you can start read-only and add write access when you're ready to automate response actions.
How does Advanced Hunting work with my agent?
Your agent can execute KQL queries against Microsoft Defender's Advanced Hunting dataset, which covers up to 30 days of raw telemetry including device events, network connections, file activity, and sign-in records. Write the KQL in your workflow, pass it to the Run advanced hunting query action, and the agent returns matching rows as structured JSON your workflow can act on — for example, creating incidents for every hit or posting results to Slack.
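As an added example (not Actionist's or Microsoft's own code), this shows the request body shape for the Graph Security runHuntingQuery endpoint and a parser that turns its schema-plus-results response into rows a workflow step can act on, such as the access-review list in the Human Resources use case above. The KQL is illustrative and the sample response is constructed.

```python
"""Added example, not Actionist's or Microsoft's own code: build the body for
the Graph Security Advanced Hunting endpoint (POST /security/runHuntingQuery)
and turn its response into rows a workflow can act on (sample is constructed)."""
import json
from typing import Any

# Illustrative KQL: accounts that appeared as user evidence in alerts during
# the last 30 days (the dataset's maximum lookback), one row per account.
ACCOUNT_ALERT_QUERY = (
    'AlertEvidence | where Timestamp > ago(30d) and EntityType == "User" '
    '| summarize AlertCount = count() by AccountUpn'
)

# Constructed sample in the documented shape of a runHuntingQuery response:
# a "schema" of column names/types and "results" rows keyed by column name.
SAMPLE_RESPONSE = json.dumps({
    "schema": [{"name": "AccountUpn", "type": "String"},
               {"name": "AlertCount", "type": "Long"}],
    "results": [{"AccountUpn": "alice@contoso.example", "AlertCount": 4},
                {"AccountUpn": "bob@contoso.example", "AlertCount": 1},
                {"AlertCount": 2}],  # row with a missing column
})


def build_hunting_request(query: str) -> dict[str, str]:
    """The endpoint expects the KQL text under the JSON key "Query"."""
    return {"Query": query}


def parse_hunting_response(raw: str) -> list[dict[str, Any]]:
    """Normalise result rows to the schema's columns.

    Every schema column is present in every row (missing values become None),
    so later workflow steps never fail on a column the query left empty.
    """
    body = json.loads(raw)
    columns = [col["name"] for col in body.get("schema", [])]
    return [{c: row.get(c) for c in columns} for row in body.get("results", [])]


def accounts_to_review(rows: list[dict[str, Any]], min_alerts: int = 2) -> list[str]:
    """UPNs with at least min_alerts alerts; rows without an account are skipped."""
    return sorted(r["AccountUpn"] for r in rows
                  if r["AccountUpn"] and (r["AlertCount"] or 0) >= min_alerts)


if __name__ == "__main__":
    print(build_hunting_request(ACCOUNT_ALERT_QUERY))
    print(accounts_to_review(parse_hunting_response(SAMPLE_RESPONSE)))
```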
How often can my agent poll for new alerts or incidents?
Microsoft Graph Security API rate limits are generous for automation use cases — up to 150 requests per minute per app. For near-real-time monitoring, your agent can poll for new alerts every minute without hitting limits. For Advanced Hunting queries, which are more resource-intensive, Microsoft recommends no more than 10 concurrent queries per tenant. Actionist manages retries with exponential backoff automatically if a transient rate limit is hit.
Does this work with both Microsoft 365 E5 and lower-tier licences?
Core alert and incident APIs are available with Microsoft 365 E3 or Microsoft Defender Plan 1 licensing. Secure Score and Secure Score control profiles require Microsoft 365 E3 or higher. Advanced Hunting (KQL queries) requires Microsoft Defender for Endpoint Plan 2 or Microsoft 365 E5. Your agent will surface only the data your tenant licence grants access to — any out-of-scope calls return a permission error rather than silently failing.
Can I disconnect or revoke Actionist's access to Microsoft Graph Security?
Yes. Open the Apps tab, find Microsoft Graph Security, and click Disconnect. Your agent immediately loses API access. You can also revoke consent directly in the Microsoft Entra admin centre under Enterprise Applications — find the Actionist app registration and delete the granted permissions. Either method fully revokes access; no data is retained by Actionist after disconnection.